Security Basics mailing list archives
Thoughts on CAPTCHA
From: "Chris Barber" <cmbarber () gmail com>
Date: Tue, 15 Apr 2008 15:04:39 -0700
I was just reading on the SANS NewsBites an article about how some implementations of CAPTCHA seem to have been outsmarted by software. I have seen other articles and have not paid a lot of attention to them (simply because I have been too busy). But this got my gears turning.

I do not know how other people feel about CAPTCHA in its current state, but I think it needs to be upgraded. You need some form of interaction that requires the user (human) to make choices that a computer would not be able to make. Something that changes with every mouse click or keystroke.

Now, my sons play an online video game where you have to key in your passcode via a web-based keypad. The keypad is displayed with all keys in some random order; each time a key is pressed the numbers change positions, like musical chairs. Here is an example:

Passcode is 564

When the keypad is first displayed it may look like:
9160 583 742

After the 5 is clicked:
0258 349 167

After 6 is clicked:
9468 351 207

Once you click on the 4 you have access to your account.

This is pretty unique and I thought it was very ingenious; you could not determine the passcode by capturing the positions of the mouse clicks because every time you enter your passcode the keys are in different places.

Now, to increase the security of this we use the same sort of random "word" generators that are currently in place and, if you want, display them in a similar manner with the deformed type and all. But add the layer of security where you must enter the CAPTCHA "word" with an ever-changing keyboard/pad. Using 16 keys instead of 10 would give enough choices but not take that long to find the keys needed to enter the CAPTCHA "word".

Just some food for thought. This is just a brainstorm (or drizzle) and thought I would put it out here and see what others thought of the idea.

Chris.
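The scrambling keypad described in the message above, as an added sketch that is not part of the original post or of the game it mentions. The class and function names are hypothetical, and the three layouts from the post are assumed to read left to right as key slots 0 to 9; the sketch records the slots clicked for passcode 564 and then replays them against a session that shows different layouts.

```python
import hmac
import secrets
# Layouts quoted in the post, read left to right as slots 0-9 (assumed order).
POST_LAYOUTS = ["9160583742", "0258349167", "9468351207"]

def layout_stream(fixed=()):
    """Yield the given layouts first (reproducible demo), then random ones."""
    yield from fixed
    rng = secrets.SystemRandom()
    while True:
        keys = list("0123456789")
        rng.shuffle(keys)
        yield "".join(keys)

class ScramblingKeypad:
    """Server-side state for one passcode entry (hypothetical class)."""
    def __init__(self, passcode, layouts=None):
        self._passcode = passcode
        self._layouts = layouts if layouts is not None else layout_stream()
        self._entered = ""
        self.layout = next(self._layouts)  # layout currently shown to the user

    def press(self, slot):
        # The client reports only the slot clicked; the server resolves it
        # against the layout it issued, then reshuffles for the next key.
        self._entered += self.layout[slot]
        self.layout = next(self._layouts)
    def verify(self):
        return hmac.compare_digest(self._entered, self._passcode)

def enter(pad, passcode):
    """Act as the legitimate user; return the slots that were clicked."""
    clicks = []
    for digit in passcode:
        clicks.append(pad.layout.index(digit))
        pad.press(clicks[-1])
    return clicks

def replay(pad, clicks):
    """Feed previously captured slot positions into a new session."""
    for slot in clicks:
        pad.press(slot)
    return pad.verify()

def demo():
    first = ScramblingKeypad("564", layout_stream(POST_LAYOUTS))
    clicks = enter(first, "564")
    later = ScramblingKeypad("564", layout_stream(POST_LAYOUTS[1:] + POST_LAYOUTS[:1]))
    return clicks, first.verify(), replay(later, clicks)
```

The recorded slots verify only in the session whose layouts they were clicked against; the property depends on the layout itself not being observed along with the clicks.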